
ISO/IEC 17799 is a set of best practices for organizations to follow to implement and maintain a security program. It started out as British Standard 7799 (BS7799), which was published in the United Kingdom and became a de facto industry standard used to guide organizations in the practice of information security.

The British Standard actually had two parts: BS7799 Part I, which outlines control objectives and a range of controls that can be used to meet those objectives, and BS7799 Part II, which outlines how a security program can be set up and maintained. BS7799 Part II also served as a baseline against which organizations could be certified. An organization would choose to be certified against the BS7799 standard to provide confidence to its customer base and partners, and the certification could also be used as a marketing tool. To become certified, an authorized third party would evaluate the organization against the requirements in BS7799 Part II. The organization could be certified against all of BS7799 Part II or just a portion of the standard.

If you are familiar with the ISO 9000 series, this is the same type of idea. Organizations can choose to go through an ISO 9000 certification process, which means third-party evaluators review the organization's business processes. After receiving a certification, the company uses it as bragging rights to indicate that it has mature, repeatable and effective business processes.

These British Standard de facto standards were continually improved upon and accepted as ISO standards. The latest revision took place in June of 2005, when BS7799 Part II became ISO/IEC 27001:2005.

So, now we have ISO/IEC 17799:2005, which outlines the best practices of control objectives and controls in the following areas of information security management:

security policy

organization of information security

asset management

human resources security

physical and environmental security

communications and operations management

access control

information systems acquisition, development and maintenance

information security incident management

business continuity management

compliance

We also have ISO/IEC 27001:2005, which provides guidelines on how to build a security program that integrates the controls in ISO/IEC 17799:2005. ISO/IEC 27001:2005 was developed to be used for several purposes:

within organizations to formulate security requirements and objectives;

within organizations as a way to ensure that security risks are cost effectively managed;

within organizations to ensure compliance with laws and regulations;

within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;

by the management of organizations to determine the status of information security management activities;

by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;

by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;

implementation of business-enabling information security;

by organizations to provide relevant information about information security to customers.

So, ISO/IEC 17799:2005 is the newest version of BS7799 Part I and ISO/IEC 27001:2005 is the newest version of BS7799 Part II. ISO/IEC 27001:2005 provides the steps for setting up and maintaining a security program, and ISO/IEC 17799:2005 provides a list of controls that can be used within the framework outlined in ISO/IEC 27001:2005.

ISO/IEC 27001:2005 basically lays out the following steps for an organization to follow:

Define an information security policy

Define scope of the information security management system

Perform a security risk assessment

Manage the identified risk

Select controls to be implemented and applied

Prepare an SoA (a "statement of applicability")

(The ISO/IEC 17799:2005 controls are an appendix of ISO/IEC 27001:2005.)

The SoA is where the organization specifies its ISO 27001 certification scope. The scope can include the whole company and its security program, or just a specific department within the company. Certification is optional, but there is a growing demand in the industry for suppliers and business partners to be compliant with this standard. This is because companies are having to depend upon each other more and more, and if one company does not practice effective security measures, this can have a direct and negative effect on the other company.
